What are the best practices for preventing Cross-Site Request Forgery (CSRF) on Visualforce pages?
Answer
To prevent Cross-Site Request Forgery (CSRF) on Visualforce pages:
1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field to `true` in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, making the page inaccessible without the token.
2. **Avoid State Changes During Initialization**: Do not perform state changes or DML operations during page initialization, as this bypasses the platform's default CSRF protection. Instead, trigger state changes through user actions like button clicks.
You can manage these settings in the Visualforce page configuration within your org setup.
What are the best practices for preventing Cross-Site Request Forgery (CSRF) on Visualforce pages?
Recommended Answer Update
To prevent Cross-Site Request Forgery (CSRF) on Visualforce pages:
1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field to `true` in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, making the page inaccessible without the token.
2. **Avoid State Changes During Initialization**: Don't perform state changes or DML operations during page initialization, as this bypasses the platform's default CSRF protection. Instead, trigger state changes through user actions like button clicks.
You can manage these settings in the Visualforce page configuration within your org setup.
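As an added example (not from the FAQ and not Salesforce's own code), here is a hypothetical controller for an invented `Payout__c` object showing the on-load DML pattern the second point warns against next to the button-driven form, with the Visualforce markup for both and the `confirmationTokenRequired` metadata from the first point shown in comments; every object, field, class and page name is an assumption.

```apex
// Added example. Hypothetical names: Payout__c, Status__c, PayoutController, PayoutPage.
//
// Pattern to avoid: an action bound to <apex:page action="..."> runs on a plain GET,
// so any page that can make the user's browser fetch this URL triggers the DML
// without the form token that protects POST-backs (this is what VfCsrf looks for):
//
//   <apex:page standardController="Payout__c" extensions="PayoutController"
//              action="{!approveOnLoad}"/>
//
// Preferred pattern: the same DML is reachable only from a command button inside
// <apex:form>, whose POST carries the platform's anti-forgery token:
//
//   <apex:page standardController="Payout__c" extensions="PayoutController">
//     <apex:form>
//       <apex:commandButton value="Approve" action="{!approve}"/>
//     </apex:form>
//   </apex:page>
//
// If a page genuinely must act on GET, require the token on the page itself
// (PayoutPage.page-meta.xml) so the URL is rejected without a valid _CONFIRMATIONTOKEN:
//
//   <ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
//     <apiVersion>59.0</apiVersion>
//     <confirmationTokenRequired>true</confirmationTokenRequired>
//     <label>PayoutPage</label>
//   </ApexPage>

public with sharing class PayoutController {
    private final Payout__c payout;

    public PayoutController(ApexPages.StandardController sc) {
        // Constructors run on every GET: read state here, never change it
        // (DML in a constructor is the case ApexCSRF is meant to catch).
        payout = (Payout__c) sc.getRecord();
    }

    // Vulnerable when wired to <apex:page action>: a state change on page load.
    public PageReference approveOnLoad() {
        payout.Status__c = 'Approved';
        update payout;
        return null;
    }

    // Safe: only the command button's token-protected POST reaches this method.
    public PageReference approve() {
        payout.Status__c = 'Approved';
        update payout;
        return new PageReference('/' + payout.Id);
    }
}
```

Removing `approveOnLoad` and its `action` binding entirely is the end state; it is kept here only so the two bindings can be compared side by side.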
Reasoning
The FAQ content is accurate and addresses CSRF protection for Visualforce pages effectively. I made one minor wording improvement by changing "Do not" to "Don't" to follow the conversational tone guidelines while preserving all technical content and structure. The existing points cover the essential CSRF prevention practices correctly.
I selected ApexCSRF because this rule detects CSRF vulnerabilities in Apex controllers that support Visualforce pages, which directly relates to the FAQ's focus on preventing CSRF attacks in Visualforce pages. The FAQ's guidance about avoiding state changes during initialization and using user-triggered actions aligns with what this rule would flag.
I selected VfCsrf because this rule specifically targets CSRF vulnerabilities in Visualforce pages by detecting when pages perform DML operations during initialization without proper CSRF protection. This directly matches the FAQ's second point about avoiding state changes during page initialization, which is exactly what this rule is designed to prevent.